Virtual communication endpoint services

ABSTRACT

Customers can utilize resources of a multi-tenant environment to provide one or more services available to various users. In order to simplify the process for these customers, the multi-tenant environment can include an infrastructure wherein a portion of the resources provide an authentication and/or authorization service that can be leveraged by the customer services. These resources can logically sit in front of the resources used to provide the customer services, such that a user request must pass through the authorization and authentication service before being directed to the customer service. Such resources can provide other functionality as well, such as load balancing and metering.

This application is a continuation of allowed U.S. application Ser. No.15/261,069, filed Sep. 9, 2016, which is a continuation of U.S.application Ser. No. 13/682,248, now U.S. Pat. No. 9,444,800, filed Nov.20, 2012, both entitled “VIRTUAL COMMUNICATION ENDPOINT SERVICES,” whichare incorporated herein by reference for all purposes.

BACKGROUND

As an increasing number of applications and services are being madeavailable over networks such as the Internet, an increasing number ofcontent, application, and/or service providers are turning totechnologies such as cloud computing. Cloud computing, in general, is anapproach to providing access to electronic resources through services,such as Web services, where the hardware and/or software used to supportthose services is dynamically scalable to meet the needs of the servicesat any given time. A customer typically will rent, lease, or otherwisepay for access to resources through the cloud, such that the customerdoes not have to purchase and maintain the hardware and/or software toprovide access to these resources. A potential disadvantage to such anapproach, at least from a customer point of view, is that the resourcestypically are at a location under control of the provider of thoseresources, and thus are out of the direct control of the customer. Inorder to help ensure that resources allocated to the customer performtasks only under direction of that customer, the provider environmentcan support tasks such as request authentication and authorization toprevent unauthorized access to services offered by the customer throughresources of the provider environment. In many cases, however, thecustomer does not want to be responsible for managing the authenticationand/or authorization processes.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments in accordance with the present disclosure will bedescribed with reference to the drawings, in which:

FIG. 1 illustrates an example environment in which various embodimentscan be implemented;

FIG. 2 illustrates an example configuration using a request managementservice for providing authentication and authorization that can be usedin accordance with various embodiments;

FIG. 3 illustrates an example process for managing requests using aservice in a multi-tenant environment that can be utilized in accordancewith various embodiments; and

FIG. 4 illustrates example components of a computing device that can beutilized in accordance with various embodiments.

DETAILED DESCRIPTION

Systems and methods in accordance with various embodiments of thepresent disclosure may overcome one or more of the aforementioned andother deficiencies experienced in conventional approaches to managingaspects of multi-tenant resources in a computing environment. Inparticular, various embodiments provide mechanisms for ensuringauthorized access to one or more shared resources in the computingenvironment, as well as managing credentials for customers of themulti-tenant environment. Customers can obtain access to the sharedresources, but in many cases will not want to be responsible formanaging the authentication and/or authorization processes for thoseresources. The customers may therefore desire request authentication andauthorization services to be managed by the provider of the resources.These request authentication and authorization services can enablecustomers to offer their own services to others of the provider'scustomers. They can also enable customers to leverage a granularpermissions system provided by the provider without needing to buildtheir own request authentication and authorization systems.

One or more of the resources in a multi-tenant environment can beutilized as a virtual load balancer (i.e., in place of a dedicatedhardware load balancer), in order to direct requests to the appropriateresources, services, and/or endpoints in the multi-tenant environment.Such resources also can be utilized to perform request authenticationand authorization, for at least certain types of requests, requests forcertain customers or resources, etc. The authentication and/orauthorization can be performed before passing the request to a targetedresource or service, and the request can be annotated withauthentication and authorization information resulting from the process.Such a process enables authentication and authorization to be providedas part of a request management service that can be leveraged by variouscustomers having services offered through the multi-tenant environment.An additional benefit of such functionality is that tasks such asper-customer throttling and metering can be integrated with the virtualload balancer, as the multi-tenant environment can have access toinformation such as request volume and pricing information.

It should be understood, however, that in at least some embodiments oneor more separate resources (physical or virtual) can be used forauthentication, authorization, and other such tasks described andsuggested herein that is used for load balancing. The service can makeit easier for customers to provide services in the multi-tenantenvironment, and can enable customers to build their own services on topof the infrastructure in the multi-tenant environment. These servicesoffered by customers of a multi-tenant environment are referred toherein as virtual endpoints, as may include virtual applicationprogramming interfaces (APIs). These services can be authored in atleast some embodiments by programmatically configuring request servicesof the environment to provide a virtual API. In some embodiments virtualAPIs may be consumed from other customer accounts within themulti-tenant environment, while in other embodiments the virtual APIsmay be consumed only within the account offering them. In embodimentswhere virtual APIs may be consumed across accounts, access to resourceswithin the calling account may be granted by the call to the virtualAPI, in to enable the virtual API to service the request. In at leastsome embodiments, the defining of a virtual API can be performed withoutfirst providing payment to the provider. Resources used in theprovisioning of virtual API services then can be direct-billed to thecaller of the virtual API, optionally with mark-up or other information.

Various other applications, processes, and uses are presented below withrespect to the various embodiments.

FIG. 1 illustrates an example environment 100 in which aspects of thevarious embodiments can be implemented. In this example a customer of amulti-tenant environment 106 is able to utilize a client device 102 tosubmit requests across at least one network 104 to at least onedesignated address or interface of the multi-tenant environment 106. Theclient device can include any appropriate electronic device operable tosend and receive requests, messages, or other such information over anappropriate network and convey information back to a user of the device.Examples of such client devices include personal computers, tabletcomputers, smart phones, notebook computers, and the like. The at leastone network 104 can include any appropriate network, including anintranet, the Internet, a cellular network, a local area network (LAN),or any other such network or combination, and communication over thenetwork can be enabled via wired and/or wireless connections. Themulti-tenant environment 106 can be supported and/or offered by aresource provider, and can include any appropriate components forreceiving requests and returning information or performing actions inresponse to those requests.

As an example, the environment might include Web servers and/orapplication servers for receiving and processing requests, thenreturning data, Web pages, video, audio, or other such content orinformation in response to the request. In many cases, the customer willhave an account with the provider of the multi-tenant environment thatindicates which resources or types of resources the customer can access,an amount of that access, types of tasks that can be performed with thataccess, or other such terms. One or more users might be associated withthe customer, and thus can be able to access the resources per thecustomer account.

In various embodiments, the environment 106 may include various types ofresources that can be utilized by multiple users for a variety ofdifferent purposes. In at least some embodiments, all or a portion of agiven resource or set of resources might be allocated to a particularcustomer or allocated for a particular task, for at least a determinedperiod of time. The sharing of these resources from a multi-tenantenvironment is often referred to as resource sharing, Web services, or“cloud computing,” among other such terms and depending upon thespecific environment and/or implementation. In this example themulti-tenant environment includes a plurality of resources 114 of one ormore types. These types can include, for example, application serversoperable to process instructions provided by a user or database serversoperable to process data stored in one or more data stores 116 inresponse to a user request. As known for such purposes, the customer canalso reserve at least a portion of the data storage in a given datastore. Methods for enabling a customer to reserve various resources andresource instances are well known in the art, such that detaileddescription of the entire process, and explanation of all possiblecomponents, will not be discussed in detail herein.

In at least some embodiments, a user wanting to utilize at least aportion of the resources 114 can submit a request that is received to aninterface layer 108 of the multi-tenant environment 106. The interfacelayer can include application programming interfaces (APIs) or otherexposed interfaces enabling a user to submit requests to themulti-tenant environment. The interface layer 108 in this example canalso include other components as well, such as at least one Web server,routing components, load balancers, and the like. When a request toprovision a resource is received to the interface layer 108, forexample, information for the request can be directed to a resourcemanager 110 or other such system, service, or component configured tomanage user accounts and information, resource provisioning and usage,and other such aspects. A resource manager 110 receiving the request canperform tasks such as to authenticate an identity of the user submittingthe request, as well as to determine whether that user has an existingaccount, or is associated with a customer having an existing account,with the resource provider, where the account data may be stored in atleast one data store 112 in the provider environment. A user can provideany of various types of credentials in order to authenticate an identityof the user to the provider. These credentials can include, for example,a username and password pair, biometric data, a digital signature, orother such information. The provider can validate this informationagainst information stored for the user. If the user has an account withthe appropriate permissions, status, etc., the resource manager candetermine whether there are adequate resources available to suit theuser's request, and if so can provision the resources or otherwise grantaccess to the corresponding portion of those resources for use by theuser for an amount specified by the request. This amount can include,for example, capacity to process a single request or perform a singletask, a specified period of time, or a recurring/renewable period, amongother such values. If the user is not associated with a valid accountwith the provider, an associated account does not enable access to thetype of resources specified in the request, or another such reason ispreventing the user from obtaining access to such resources, acommunication can be sent to the user (or associated customer) to enablethe user to create or modify an account, or change the resourcesspecified in the request, among other such options.

Once the user and/or request is authenticated, the account verified, andthe resources allocated, the user can utilize the allocated resource(s)for the specified capacity, amount of data transfer, period of time, orother such metric. In at least some embodiments, a user might provide asession token or other such credentials with subsequent requests inorder to enable those requests to be processed on that user session. Theuser can receive a resource identifier, specific address, or other suchinformation that can enable the client device 102 to communicate with anallocated resource without having to communicate with the resourcemanager 110, at least until such time as a relevant aspect of the useraccount changes, the user is no longer granted access to the resource,or another such aspect changes.

The resource manager 110 (or another such system or service) in thisexample can also function as a virtual layer of hardware and softwarecomponents that handles control functions in addition to managementactions, as may include provisioning, scaling, replication, etc. Theresource manager can utilize dedicated APIs in the interface layer 108,where each API can be provided to receive requests for at least onespecific action to be performed with respect to the data environment,such as to provision, scale, clone, or hibernate an instance. Uponreceiving a request to one of the APIs, a Web services portion of theinterface layer can parse or otherwise analyze the request to determinethe steps or actions needed to act on or process the call. For example,a Web service call might be received that includes a request to create adata repository.

An interface layer 108 in at least one embodiment includes a scalableset of customer-facing servers that can provide the various APIs andreturn the appropriate responses based on the API specifications. Theinterface layer also can include at least one API service layer that inone embodiment consists of stateless, replicated servers which processthe externally-facing customer APIs. The interface layer can beresponsible for Web service front end features such as authenticatingcustomers based on credentials, authorizing the customer, throttlingcustomer requests to the API servers, validating user input, andmarshalling or unmarshalling requests and responses. The API layer alsocan be responsible for reading and writing database configuration datato/from the administration data store, in response to the API calls. Inmany embodiments, the Web services layer and/or API service layer willbe the only externally visible component, or the only component that isvisible to, and accessible by, customers of the control service. Theservers of the Web services layer can be stateless and scaledhorizontally as known in the art. API servers, as well as the persistentdata store, can be spread across multiple data centers in a region, forexample, such that the servers are resilient to single data centerfailures.

An advantage of providing customer services through a multi-tenantenvironment is that the environment can provide a significant amount ofscalability, as additional resources can be added or removed from aservice as necessary in order to support the workload at a given time,within the limits of the terms of use of the customer with the providerof the multi-tenant environment. When an environment supports multiplesuch services, which can have a frequently changing number of resourcesallocated to supporting those services, it can be difficult to utilizeconventional hardware devices such as hardware load balancers where thedistribution paths for the requests can be constantly changing and thedevices need to be continually reconfigured. In order to simplify theprocess in at least some aspects, certain multi-tenant environmentsutilize some of the resources offered through the environment to provideload balancing using a “virtual” load balancer. Such an approach isadvantageous as new load balancing resources can be added, and resourcesremoved, as needed due to changes in demand. Further, during periods oflower volume the resources can be used for other tasks, maximizingutilization of the resources versus having a full set of hardware loadbalancers that will most of the time be underutilized.

FIG. 2 illustrates an example situation 200 wherein one of the resources114 of the multi-tenant environment has been configured to function as aload balancer 202 that logically sits along a path between the interfacelayer 108 of the multi-tenant environment and the resources 114, datastores 116, and other components or endpoints used to support customerservices in the multi-tenant environment. It should be understood thatreference numbers may be carried over for similar components betweenfigures for purposes of simplicity of explanation, but such usage shouldnot be interpreted as a limitation on the various embodiments unlessotherwise stated. In this example, the load balancer 202 may be one of aplurality of resources providing a load balancing service that can beleveraged by customers to improve the distribution of requests acrossvarious resources allocated to the customer, in order to improve theefficiency and performance of the customer service. A virtual loadbalancer or load balancer service can also perform tasks such as tomonitor the health of backend services, as well as to handle the scalingand redundancy, etc.

Approaches in accordance with various embodiments can utilize thisinfrastructure to also offer customer service-accessible authenticationand other request management services, which can perform tasks such asrequest authentication (including but not limited to requestcanonicalization and signature verification) and authorization (such aspolicy language evaluation). These resources and/or services thus canfunction as virtual endpoints, such as virtual application programminginterface (API) endpoints, to which users can direct requests, such asWeb service requests. The virtual endpoints then can perform tasks suchas authentication and authorization for the request, which can includeauthentication based at least in part upon clientAuth SSL, signedassertions, and Internet Protocol Security (IPSec) functionality, amongothers. Request authentication and authorization can be performed on arequest received from a client device 102 over a network 104 to aninterface layer 108 of the multi-tenant environment, which is thendirected to the virtual endpoint as if the endpoint is an API forreceiving Web service calls to the customer service. If the request issuccessfully authenticated and/or authorized, information for theauthentication and/or authorization can be added to the request, whichcan then be forwarded to the appropriate resources 114 allocated tosupporting the customer service.

In some embodiments, such a request management service can accept signedrequests from customers as may be generated using one or more softwaredevelopment kits (SDKs), which can correspond to public protocols or beavailable from a provider of the multi-tenant environment. The servicecan determine information such as the entity that signed the request,the key or credential that way used, any policies that should be appliedto the request, and ultimately whether the request should be forwardedto the corresponding client service. Determining this information caninclude tasks such as parsing incoming requests, building anauthorization context, extracting and verifying signatures, performingbasic authorization, and passing additional metadata about anauthenticated identity for a request to the appropriate client service.As used herein, a “signature” refers to any cryptographic annotation ofa message including, but not limited to, symmetric messageauthentication such as HMAC, asymmetric digital signature such as RSA orDSA, etc.

In at least some embodiments, each user wanting to access a customerservice that was the request management service might have to have anaccount with a provider of the multi-tenant environment. Such anapproach can be beneficial as the request management service can haveproof that the request was received from another customer of theenvironment, placing the request management service in a strong positionto selectively enable, subject to the instructions of the customer, anamount of forward access in the environment.

FIG. 3 illustrates an example process 300 for managing requests for acustomer service in a multi-tenant environment that can be utilized inaccordance with various embodiments. It should be understood that, forany process discussed herein, there can be additional, fewer, oralternative steps, performed in similar or different orders, or inparallel, within the scope of the various embodiments unless otherwisestated. In this example, a request is received 302 from a user of acustomer service (who may also be a customer of the multi-tenantenvironment) to the request management service, which can function as anabstraction of an API endpoint in at least some embodiments. Asdiscussed, the request might be sent to a virtual API or other suchendpoint that causes the request to be directed to the requestmanagement service. The request in this example is signed by the userusing a signature algorithm and credentials associated with the userand/or the customer. The request management service can utilize acanonicalization algorithm or other such approach to determine whetherthe signature used to sign the request is valid and/or matches anappropriate string or credential for the user and/or customer service.The canonicalization process can be used in order to handle proxies,client libraries, or other bumps along the software path that mightmodify the request but retain the semantic meaning of the request. Adetermination then can be made 304 as to whether the signature is avalid signature. The service in some embodiments might consult a localcache, such as the cache 204 in FIG. 2, in order to determineappropriate signing material to attempt to verify the signatureautonomously. In other embodiments, the service might transmit someinformation for the request to a separate authentication andauthorization service, such as the service 206 in FIG. 2, that is ableto analyze the information, determine the alleged signor as well as thevalidity of the signature. The service can be located across the atleast one network 104, or can communicate directly with the interface108 and/or load balancer 202. That service then may return informationabout who signed the request, as may include an identifier andpotentially one or more other attributes. In some embodiments, a policymight be applied to that identity either by the authentication serviceor the request management service. The request management service thencan determine whether the signature of the request is valid based atleast in part upon the identity of the user and any applicable policy.

If the signature is determined not to be a valid signature, the requestis denied 306. If the signature is determined to be a valid signature,the request management service in some embodiments might also need todetermine a logical authorization question to be answered, as maycorrespond to the request being made, the action being taken, and theresource to be acted upon. The request management service in someembodiments can also attempt to retrieve any additional policies withrespect to the customer service and/or associated resource(s). Therequest management service in some embodiments is be configured broadlywith a policy about the set of user who are able to make requests. Insome embodiments the request management service may check whether acaller has subscribed to the service or has otherwise agreed to payrelevant charges. Any applicable policies then can be evaluated 308 todetermine whether to allow the request. If the request is determined 310to not be allowed, the request can be rejected 312. If the request isdetermined to be allowed, the request can be forwarded 314 to thecustomer service, and in at least some embodiments information about theuser associated with the request can be sent as well. In someembodiments the additional information might also be signed, andinformation about allowed and/or rejected requests can be written to anaudit log for the request management service.

In some embodiments, a request management service can be leveraged bycustomers for resources or services that are not offered via themulti-tenant environment. For example, a customer might be a provider ofan application that accesses the customer's servers for various tasks,but the customer might not want to be responsible for storing thesecurity credentials, managing the authorization process, etc., suchthat the customer might subscribe to the request management service tomanage these and other such tasks on the customer's behalf. In someembodiments a customer might own an identity pool and might trust themulti-tenant environment, but not the end users, to authenticate againstthe identity pool. In some embodiments, a user can authenticate to therequest management service, acting as a virtual endpoint, and then theresource management service can make a signed assertion about theidentity of the user and one or more tasks that the user is authorizedto perform according to one or more customer rules or policies. In thisway, the symmetric keys or other credentials used to authenticaterequests never need to be exposed to the customer or other suchentities.

A request management service can perform various other types of tasks aswell. For example, once information about a user submitting a request isknown, a degree of partitioning can be performed for the user. There canalso be some amount of throttling or request shaping performed based atleast in part upon the user, and any limits for the user can be enforcedas well.

In some embodiments a customer does not need to specify anyconfiguration information. A customer can subscribe to a requestmanagement service for purposes of authentication without anyauthorization, in which can the request management service does not needconfiguration information around the semantics of requests.

In embodiments where such configuration information is needed, one ormore policies might be used to determine that configuration information.In some embodiments, one or more translations might be performed on apolicy before passing along that policy. A translation might beperformed in order to filter out things that are irrelevant, perform anyapplicable preprocessing, and/or convert a policy into an equivalentlanguage that might be supported in a particular environment. Thus, areceived policy might be authenticated and then translated intosomething that the customer's policy evaluation engine can evaluate. Inthis case the policy might be specified by the user, who can be acustomer of the customer. The request management service can take thecollection of all such policies, which may include irrelevant policiesfor other services, and remove information that is relevant to thisparticular service. The policy then can be translated and compiled to anappropriate language, such as JavaScript, that can be evaluated withrespect to a different environment.

In some embodiments, the request management service can determine atleast a set of actions that are being taken. Configuration and/or rulesmight be provided to enable the request management service to parse areceived request and determine actions and/or resources corresponding tothe request, enabling the service to perform policy evaluation. Theconfiguration might include a set of policies, which might be used tomodel things such as subscriptions. Policies might then be stored asassociated with resources, services, or customers. A first customermight utilize the request management service to specify a virtual APIendpoint for a specific customer service. The first customer might havepolicies about the other customers subscribed to the service that areable to make calls into the service, and what those calls can include.For example, a second customer who is subscribed to the customer servicemight be able to call certain functionality but not certain otherfunctionality, as may depend upon the type of account or relationshipwith the second customer. That account may also have one or more userswithin the account, policies can be set to restrict individual userswithin that account to particular subsets of the functionality.

In some embodiments, upon determining an action and a resource, therequest management service can attempt to determine an additional policythat may be set with respect to a particular resource. In someembodiments the call can be in the form of a Web services call to acustomer endpoint, or can involve a read of a particular resource. Acustomer can be able to store policies associated with the resources,and can express query rules for how policies are to be retrieved and/orapplied. Such an approach enables a customer offering the endpoint toleverage additional policies in place for specific resources.

Another advantage to various approaches discussed herein is thatrequests that fail validation can be absorbed up to a fairly high levelin the network stack, providing for an amount of denial of service (DoS)attack mitigation. The multi-tenant environment typically can scale asneeded, and can detect potentially fraudulent requests as various levelsof the network stack, thus being more resistant to DoS attacks. As usedherein, a “fraudulent request” refers, without limitation, to a requestintended to consume resources without payment, intended to interferewith the proper operation of the service, intended to increase the costof operating the service disproportionately, attempting to deny accessto legitimate users of the service, attempting to access data withoutauthorization, and/or attempting to repeatedly access a resource towhich access is denied. Further, there are multiple levels at which themulti-tenant environment can reject a request. For example, an interfacelayer might be able to identify things that do not appear to be validsignatures before the signatures are actually evaluated. Certainrequests can be denied that can be determined to fail even if thesignature is correct. In some embodiments, load can be shaped based atleast in part upon an alleged signor to limit the amount of resourcesthat is dedicated to any particular user. Requests can be discarded thatdo not appear to correspond to valid credentials. Such functionality canbe offered for both single-tenant and multi-tenant implementations, andfor multi-tenant implementations there can be more than one API off ofthe same software stack.

In at least some embodiments, traffic can be monitored to determinetrends for denied requests, such that subsequent requests can be blockedbased at least in part upon those trends. The request management servicecan emit metrics on resource consumption, such as bandwidth, processortime, number of I/O operations, number of database operations,additional requests for the resources resulting from the requestsallowed for a user, the total number of requests processed, the numberof valid requests, the number of invalid requests, the top requestor,source IP reputation, and other such information. Where requests aretracked per user, in some embodiments at least some of the charge forthe network bandwidth might be moved from the customer to the user, atleast when the user meets or exceeds a certain amount of usage.Different types of users might also have their requests routeddifferently, such that some users might have their requests routed to adedicated resource, while other users might have to share a certain setof resources. In some embodiments, this denial of service mitigationservice may be offered as an optional feature at extra cost or somesubset of the mitigations may be offered for additional cost.

FIG. 4 illustrates a logical arrangement of a set of general componentsof an example computing device 400. In this example, the device includesa processor 402 for executing instructions that can be stored in amemory device or element 404. As would be apparent to one of ordinaryskill in the art, the device can include many types of memory, datastorage, or non-transitory computer-readable storage media, such as afirst data storage for program instructions for execution by theprocessor 402, a separate storage for images or data, a removable memoryfor sharing information with other devices, etc. The device typicallywill include some type of display element 406, such as a touch screen orliquid crystal display (LCD), although devices such as portable mediaplayers might convey information via other means, such as through audiospeakers. As discussed, the device in many embodiments will include atleast one input element 410 able to receive conventional input from auser. This conventional input can include, for example, a push button,touch pad, touch screen, wheel, joystick, keyboard, mouse, keypad, orany other such device or element whereby a user can input a command tothe device. In some embodiments, however, such a device might notinclude any buttons at all, and might be controlled only through acombination of visual and audio commands, such that a user can controlthe device without having to be in contact with the device. In someembodiments, the computing device 400 of FIG. 4 can include one or morenetwork interface elements 408 for communicating over various networks,such as a Wi-Fi, Bluetooth, RF, wired, or wireless communicationsystems. The device in many embodiments can communicate with a network,such as the Internet, and may be able to communicate with other suchdevices.

Example environments discussed herein for implementing aspects inaccordance with various embodiments are primarily Web-based, as relateto Web services and cloud computing, but it should be appreciated that,although a Web-based environment is used for purposes of explanation,different environments may be used, as appropriate, to implement variousembodiments. Client devices used to interact with various embodimentscan include any appropriate device operable to send and receiverequests, messages, or information over an appropriate network andconvey information back to a user of the device. Examples of such clientdevices include personal computers, smart phones, handheld messagingdevices, laptop computers, set-top boxes, personal data assistants,electronic book readers, and the like. The network can include anyappropriate network, including an intranet, the Internet, a cellularnetwork, a local area network, or any other such network or combinationthereof. Components used for such a system can depend at least in partupon the type of network and/or environment selected. Protocols andcomponents for communicating via such a network are well known and willnot be discussed herein in detail. Communication over the network can beenabled by wired or wireless connections, and combinations thereof

It should be understood that there can be several application servers,layers, or other elements, processes, or components, which may bechained or otherwise configured, which can interact to perform tasks asdiscussed and suggested herein. As used herein the term “data store”refers to any device or combination of devices capable of storing,accessing, and retrieving data, which may include any combination andnumber of data servers, databases, data storage devices, and datastorage media, in any standard, distributed, or clustered environment.The application server can include any appropriate hardware and softwarefor integrating with the data store as needed to execute aspects of oneor more applications for the client device, handling a majority of thedata access and business logic for an application. The applicationserver provides access control services in cooperation with the datastore, and is able to generate content such as text, graphics, audio,and/or video to be transferred to the user, which may be served to theuser by the Web server in the form of HTML, XML, or another appropriatestructured language in this example. The handling of all requests andresponses, as well as the delivery of content between a client deviceand a resource, can be handled by the Web server. It should beunderstood that the Web and application servers are not required and aremerely example components, as structured code discussed herein can beexecuted on any appropriate device or host machine as discussedelsewhere herein.

A data store can include several separate data tables, databases, orother data storage mechanisms and media for storing data relating to aparticular aspect. The data store is operable, through logic associatedtherewith, to receive instructions from a server, and obtain, update, orotherwise process data in response thereto. In one example, a user mightsubmit a search request for a certain type of item. In this case, thedata store might access the user information to verify the identity ofthe user, and can access the catalog detail information to obtaininformation about items of that type. The information then can bereturned to the user, such as in a results listing on a Web page thatthe user is able to view via a browser on the user device. Informationfor a particular item of interest can be viewed in a dedicated page orwindow of the browser.

Each server typically will include an operating system that providesexecutable program instructions for the general administration andoperation of that server, and typically will include a non-transitorycomputer-readable medium storing instructions that, when executed by aprocessor of the server, allow the server to perform its intendedfunctions. Suitable implementations for the operating system and generalfunctionality of the servers are known or commercially available, andare readily implemented by persons having ordinary skill in the art,particularly in light of the disclosure herein.

The environment in one embodiment is a distributed computing environmentutilizing several computer systems and components that areinterconnected via communication links, using one or more computernetworks or direct connections. However, it will be appreciated by thoseof ordinary skill in the art that such a system could operate equallywell in a system having fewer or a greater number of components than areillustrated in FIGS. 1 and 2. Thus, the depictions of various systemsand services herein should be taken as being illustrative in nature, andnot limiting to the scope of the disclosure.

Various aspects can be implemented as part of at least one service orWeb service, such as may be part of a service-oriented architecture.Services such as Web services can communicate using any appropriate typeof messaging, such as by using messages in extensible markup language(XML) format and exchanged using an appropriate protocol such as SOAP(derived from the “Simple Object Access Protocol”). Processes providedor executed by such services can be written in any appropriate language,such as the Web Services Description Language (WSDL). Using a languagesuch as WSDL allows for functionality such as the automated generationof client-side code in various SOAP frameworks.

Most embodiments utilize at least one network that would be familiar tothose skilled in the art for supporting communications using any of avariety of commercially-available protocols, such as TCP/IP, OSI, FTP,UPnP, NFS, CIFS, and AppleTalk. The network can be, for example, a localarea network, a wide-area network, a virtual private network, theInternet, an intranet, an extranet, a public switched telephone network,an infrared network, a wireless network, and any combination thereof.

In embodiments utilizing a Web server, the Web server can run any of avariety of server or mid-tier applications, including HTTP servers, FTPservers, CGI servers, data servers, Java servers, and businessapplication servers. The server(s) also may be capable of executingprograms or scripts in response requests from user devices, such as byexecuting one or more

Web applications that may be implemented as one or more scripts orprograms written in any programming language, such as Java®, C, C# orC++, or any scripting language, such as Perl, Python, or TCL, as well ascombinations thereof. The server(s) may also include database servers,including without limitation those commercially available from Oracle®,Microsoft®, Sybase®, and IBM®.

The environment can include a variety of data stores and other memoryand storage media as discussed above. These can reside in a variety oflocations, such as on a storage medium local to (and/or resident in) oneor more of the computers or remote from any or all of the computersacross the network. In a particular set of embodiments, the informationmay reside in a storage-area network (“SAN”) familiar to those skilledin the art. Similarly, any necessary files for performing the functionsattributed to the computers, servers, or other network devices may bestored locally and/or remotely, as appropriate. Where a system includescomputerized devices, each such device can include hardware elementsthat may be electrically coupled via a bus, the elements including, forexample, at least one central processing unit (CPU), at least one inputdevice (e.g., a mouse, keyboard, controller, touch screen, or keypad),and at least one output device (e.g., a display device, printer, orspeaker). Such a system may also include one or more storage devices,such as disk drives, optical storage devices, and solid-state storagedevices such as random access memory (“RAM”) or read-only memory(“ROM”), as well as removable media devices, memory cards, flash cards,etc.

Such devices also can include a computer-readable storage media reader,a communications device (e.g., a modem, a network card (wireless orwired), an infrared communication device, etc.), and working memory asdescribed above. The computer-readable storage media reader can beconnected with, or configured to receive, a computer-readable storagemedium, representing remote, local, fixed, and/or removable storagedevices as well as storage media for temporarily and/or more permanentlycontaining, storing, transmitting, and retrieving computer-readableinformation. The system and various devices also typically will includea number of software applications, modules, services, or other elementslocated within at least one working memory device, including anoperating system and application programs, such as a client applicationor Web browser. It should be appreciated that alternate embodiments mayhave numerous variations from that described above. For example,customized hardware might also be used and/or particular elements mightbe implemented in hardware, software (including portable software, suchas applets), or both. Further, connection to other computing devicessuch as network input/output devices may be employed.

Storage media and computer readable media for containing code, orportions of code, can include any appropriate media known or used in theart, including storage media and communication media, such as but notlimited to volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information such as computer readable instructions, data structures,program modules, or other data, including RAM, ROM, EEPROM, flash memoryor other memory technology, CD-ROM, digital versatile disk (DVD) orother optical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium which canbe used to store the desired information and which can be accessed bythe a system device. Based on the disclosure and teachings providedherein, a person of ordinary skill in the art will appreciate other waysand/or methods to implement the various embodiments.

The specification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense. It will, however, beevident that various modifications and changes may be made thereuntowithout departing from the broader spirit and scope of the invention asset forth in the claims.

What is claimed is:
 1. A system to manage requests for a service,comprising: at least one processor; and memory storing instructionsthat, when executed by the at least one processor, cause the system to:provide access to an endpoint interface for a service by a virtual loadbalancer of a multi-tenant environment; receive a communication to avirtual endpoint for the service from a computing device of a user, thecommunication including a signature generated using at least onesecurity credential; determine whether the signature is a validsignature and whether the communication is allowed according to one ormore policies associated with the communication; and forward thecommunication to the endpoint interface for the service when thesignature is a valid signature and the communication is determined to beallowed.
 2. The system of claim 1, wherein the multi-tenant environmentcomprises a plurality of resources that are shared among a plurality ofcustomers, wherein the user is associated with a first customer of theplurality of customers, and wherein the instructions, when executed bythe at least one processor, further cause the system to: allocate aresource associated with a second customer of the plurality of customersfor use by the service.
 3. The system of claim 1, wherein theinstructions, when executed by the at least one processor, further causethe system to: annotate the communication with authentication andauthorization information resulting from determining whether thesignature is a valid signature and whether the communication is allowed.4. The system of claim 1, wherein the instructions, when executed by theat least one processor, further cause the system to: transmit at least aportion of the communication to a separate authentication andauthorization service; receive information about the communication fromthe separate authentication and authorization service; and determinewhether the signature is a valid signature based at least in part on theinformation about the communication from the separate authentication andauthorization service.
 5. The system of claim 1, wherein theinstructions, when executed by the at least one processor, further causethe system to: receive information about the communication from a localcache; and determine whether the signature is a valid signature based atleast in part on the information about the communication from the localcache.
 6. The system of claim 1, wherein the communication is generatedusing at least one software development kit associated with at least onepublic protocol.
 7. The system of claim 1, wherein the instructions,when executed by the at least one processor, further cause the systemto: retrieve the one or more policies associated with the communicationbased on at least one of a resource associated with the communication, acustomer associated with the resource, or a service associated with thecommunication.
 8. A computer-implemented method, comprising: receiving,by a virtual load balancer of a multi-tenant environment, acommunication to a virtual endpoint from a computing device of a user,the communication including a signature generated using at least onesecurity credential; determining, by the virtual load balancer of themulti-tenant environment, whether the signature is a valid signature andwhether the communication is allowed according to one or more policiesassociated with the communication; and forwarding, by the virtual loadbalancer of the multi-tenant environment, the communication to anendpoint interface for a service when the signature is a valid signatureand the communication is determined to be allowed.
 9. Thecomputer-implemented method of claim 8, wherein the multi-tenantenvironment comprises a plurality of resources that are shared among aplurality of customers, wherein the user is associated with a firstcustomer of the plurality of customers, and wherein thecomputer-implemented method further comprises: allocating a resourceassociated with a second customer of the plurality of customers for useby the service.
 10. The computer-implemented method of claim 8, furthercomprising: annotating the communication with authentication andauthorization information resulting from determining whether thesignature is a valid signature and whether the communication is allowed.11. The computer-implemented method of claim 8, further comprising:transmitting at least a portion of the communication to a separateauthentication and authorization service; receiving information aboutthe communication from the separate authentication and authorizationservice; and determining whether the signature is a valid signaturebased at least in part on the information about the communication fromthe separate authentication and authorization service.
 12. Thecomputer-implemented method of claim 8, wherein the communication isgenerated using at least one software development kit associated with atleast one public protocol.
 13. The computer-implemented method of claim8, further comprising: retrieving the one or more policies associatedwith the communication based on at least one of a resource associatedwith the communication, a customer associated with the resource, or aservice associated with the communication.
 14. A non-transitorycomputer-readable storage medium including instructions that, whenexecuted by at least one processor of a computer system, cause thecomputer system to: provide access to an endpoint interface for aservice by a virtual load balancer of a multi-tenant environment;receive a communication to a virtual endpoint for the service from acomputing device of a user, the communication including a signaturegenerated using at least one security credential; determine whether thesignature is a valid signature and whether the communication is allowedaccording to one or more policies associated with the communication; andforward the communication to the endpoint interface for the service whenthe signature is a valid signature and the communication is determinedto be allowed.
 15. The non-transitory computer-readable storage mediumof claim 14, wherein the multi-tenant environment comprises a pluralityof resources that are shared among a plurality of customers, wherein theuser is associated with a first customer of the plurality of customers,and wherein the instructions, when executed, further cause the computersystem to: allocate a resource associated with a second customer of theplurality of customers for use by the service.
 16. The non-transitorycomputer-readable storage medium of claim 14, wherein the instructions,when executed, further cause the computer system to: annotate thecommunication with authentication and authorization informationresulting from determining whether the signature is a valid signatureand whether the communication is allowed.
 17. The non-transitorycomputer-readable storage medium of claim 14, wherein the instructions,when executed, further cause the computer system to: transmit at least aportion of the communication to a separate authentication andauthorization service; receive information about the communication fromthe separate authentication and authorization service; and determinewhether the signature is a valid signature based at least in part on theinformation about the communication from the separate authentication andauthorization service.
 18. The non-transitory computer-readable storagemedium of claim 14, wherein the instructions, when executed, furthercause the computer system to: receive information about thecommunication from a local cache; and determine whether the signature isa valid signature based at least in part on the information about thecommunication from the local cache.
 19. The non-transitorycomputer-readable storage medium of claim 14, wherein the communicationis generated using at least one software development kit associated withat least one public protocol.
 20. The non-transitory computer-readablestorage medium of claim 14, wherein the instructions when executedfurther cause the computer system to: retrieve the one or more policiesassociated with the communication based on at least one of a resourceassociated with the communication, a customer associated with theresource, or a service associated with the communication.